Transcription

1 Jisc Safe Harbour NOTE ON THE COURT OF JUSTICE OF THE EUROPEAN UNION'S JUDGMENT ON 'SAFE HARBOUR' ARRANGEMENTS FOR THE TRANSFER OF PERSONAL DATA FROM THE EEA TO THE USA KEY POINTS Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data Organisations considering the use of other mechanisms, such as Model Clauses and BCRs Possible that such alternative mechanisms will be undermined by the same concerns regarding the activities of US intelligence agencies as influenced the decision of the court on the Safe Harbour Agreement Institutions need to review their arrangements with US service providers including for cloud services Jisc will review arrangements with Jisc cloud partners - Microsoft, Google and AWS Guidance expected from the ICO and European data protection authorities in the near future with ICO stating that it understands that institutions will need time to transition to new arrangements INTRODUCTION On 6 October 2015 the Court of Justice of the European Union (CJEU) ruled that the 'Safe Harbour' Agreement, which facilitates the flow of personal data from the European Economic Area to the United States of America, is invalid. 1 Jisc has prepared this note to help UK education and research institutions (Institutions) to understand the judgment and its potential impact. This note does not constitute legal advice. It provides a summary of some of the main data protection issues which arise from the CJEU's judgment. Institutions should seek their own legal advice regarding their compliance with any applicable data protection legislation including as regards the transfer of personal data controlled by them to the United States of America. 1 Available at:

2 RELEVANT LEGAL OBLIGATIONS A key principle of the EU's Data Protection Directive (which was implemented in the UK by the Data Protection Act 1998) places limits on the ability of Institutions to transfer personal data outside of the EEA. Such transfers are only permitted where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission (Commission) as having adequate data protection laws. Although the US has not been designated as meeting these 'adequacy' requirements, the Commission and the US agreed the Safe Harbour Agreement in The Safe Harbour Agreement facilitates the transfer of personal data from the EU to the US. Under it, US organisations self-certified compliance with the requirements of the Safe Harbour Agreement, which enabled them to meet the 'adequacy' standards outlined in the Directive. THE CJEU'S JUDGMENT The CJEU's judgment came in a case referred to it from the High Court of Ireland in connection with a complaint raised by a privacy group, 'Europe v Facebook' about the way Ireland's data protection authority handled concerns it had raised with regard to Facebook's data transfer arrangements. The Irish data protection authority argued that it was bound by the Commission's decision that the Safe Harbour Agreement adhered to EU data protection laws. On that basis it had declined to investigate the complaint. The CJEU has now ruled that: the Safe Harbour Agreement does not provide adequate protection of personal data, as required by the Directive. In particular, it said that there are insufficient restrictions on how the US authorities can use personal data transferred from the US to the EU, and on that basis the Safe Harbour Agreement did not respect privacy in the way required by the Directive. The CJEU's concerns over the ability of US authorities to access personal data is of particular note. Such concerns might be considered equally relevant in any challenge over transfers of personal data to the US under other legal constructs, such as binding corporate rules or the EU Model Clauses; national data protection authorities (such as the Irish data protection authority, and the UK Information Commissioner's Office ("ICO")) are not bound by the Safe Harbour Agreement; and national data protection authorities are free to investigate complaints about data transfers when new issues come to light (but the CJEU will still have the final say on whether decisions taken by the Commission in relation to data transfers are valid or not). EU MODEL CLAUSES AND BCRs The judgment means that many organisations which currently rely on the Safe Harbour Agreement to transfer personal data to the US will need to find other legal mechanisms to do so. The two most commonly used other mechanisms are: The EU Model Clauses Organisations have been able to use the EU Model Clauses since the EU Commission created them in The Clauses were created by the Commission in 2001 and can be used to govern the transfers of personal data outside of the EEA and to meet the 'adequacy' standards outlined in the Directive. Sometimes organisations make changes to the Model Clauses. This may have an adverse impact on compliance. The Article 29 Working Party (the advisory body comprising representatives from each of the 28 EU data protection authorities) has previously stated that amendments of this nature may be acceptable in principle. However, the ICO 2

3 has indicated that any amendments or inconsistent provisions might in certain circumstances render the model clauses non-compliant. Binding Corporate Rules (BCRs) Companies can implement binding corporate rules for data transfers to other members of their company group who are based in non-eea countries. BCRs involve organisations committing to a code of conduct for handling and protecting personal data within their group in a way that complies with EU data protection law. This mechanism only applies to intra-group transfers. It has limited applicability as it cannot be used to enable 'customer > IT service provider' transfers of personal data. KEY QUESTIONS ABOUT THE JUDGMENT What is the ICO's view? The ICO has stated that, "the judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this. It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions." Institutions should note, in particular, that: the ICO will be issuing guidance for organisations over the coming weeks, after consulting with other EU data protection authorities; and the ICO has made clear that it wants data controllers to have time to transition to other mechanisms of transferring personal data to the US. Any ICO guidance will help Institutions to develop their approach to dealing with this issue. In the meantime, Institutions should bear in mind that, whilst the judgment is limited to the Safe Harbour Agreement, mechanisms such as the EU Model Clauses and BCRs could come in for scrutiny for similar reasons, i.e. concerns regarding the access the US authorities may have to personal data that is transferred to the US. What action should Institutions take if they have service providers which use Safe Harbour? Institutions should review arrangements with US service providers. If service providers or business partners are relying on the Safe Harbour Agreement to validate the transfer of personal data to the US, Institutions should ask for an update from them on how they will ensure compliance with EU data protection laws on the transfer of data outside of the EEA. Institutions should consider whether the measures are sufficient to ensure such transfers are lawful. This will not be an easy assessment to make given the concerns expressed by the CJEU on the surveillance activities undertaken by the US authorities. What additional guidance can Institutions expect on the ruling in the coming days/weeks? 3

4 The Article 29 Working Party will meet in the near future to discuss the implications of the judgment 2. It is hoped that they will provide guidance on the practical application of the judgment as soon as possible. The ICO will issue its own guidance in the coming weeks. Institutions should monitor ICO press releases for announcements and guidance. Will there be a new version of 'Safe Harbour' in the future? Institutions should note that, following the Edward Snowden revelations on the surveillance activities of US intelligence agencies, the EU Commission has been in negotiations with the US over a new 'Safe Harbour'-style regime. The pace of progress on this regime is dependent on how effectively some of the issues identified in this CJEU decisions can be addressed by the US authorities. It is not expected that negotiations will conclude any time soon. How has the technology sector responded to the ruling? Trade body the Internet Association (which has members such as Google, Amazon, Facebook and Uber) stated that the judgment could present "significant challenges" for small businesses and consumers. 3 Microsoft has moved to reassure its cloud customers about the impact of the ruling. 4 Its President and chief legal officer Brad Smith stated that "some customers may ask if this means that they will no longer be able to transfer their customer data from the European Union to the United States. For Microsoft's enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place." Jisc assumes this to be a reference to Microsoft's use of the EU Model Clauses. What mechanisms do Microsoft, Google and Amazon use for data transfers outside of the EEA? Jisc appreciates that Institutions who use cloud computing solutions will be particularly keen to understand how the judgment affects arrangements they may already have in place with cloud providers. Jisc is engaging directly with the cloud providers with whom it deals to understand how they propose to address any concerns raised by the decision of the CJEU. Jisc will report the outcomes of such discussions to Institutions in due course. In the meantime, the table below sets out the approaches commonly adopted by Microsoft, Google and Amazon in connection with their cloud offerings. Please note that we have prepared this table in the context of terms/agreements reviewed previously by Jisc in procuring cloud services (as indicated next to the cloud provider) and does not necessarily represent the position across all terms/agreements of those cloud providers across all their different product suites: Service Provider Safe Harbour? EU Model Clauses? Have the EU Model Clauses been modified? 2 Available at: 3 Available at: 4 Available at 4

5 Microsoft (Online Services Terms) Microsoft's Online Services Terms commit to abide by the Safe Harbour Agreement. In addition, for the Online Services which are subject to Microsoft's 'Data Processing Terms' (note this does not cover all Online Services) Microsoft states that all transfers of personal data will be covered by the EU Model Clauses. Yes Google (Google Apps for Education) No Yes Yes Amazon Web Services (various AWS terms) Amazon Web Services has previously relied on both Safe Harbour and the EU Model Clauses, depending on the particular transaction. Institutions should check the particular terms of their own contracts with Amazon Web Services in that regard. N/A (case by case basis) 5

To cloud or not to cloud, that is a very serious question EEMA / TrustCore Legal challenges in a post Safe Harbour and pre GDPR cloud world 18 November 2015 hans.graux@timelex.eu Context Major cloud providers

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

DATA TRANSFERS WITHIN A MULTINATIONAL GROUP SAFELY NAVIGATING EU DATA PROTECTION RULES MAY 2013 INTRODUCTION Multinational corporations increasingly have a need to share their data throughout their group.

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

Data transfers in the Cloud Rapporteur: Emmanuelle Bartoli Meeting date: 28 th March 2014 1 The purpose of this document is to explore options for how contracts between Cloud providers and consumers and

Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

(Draft for consultation) Please note that this draft is under consultation with stakeholders in colleges and university services, before refinement and approval by the appropriate University Committee.

ARTICLE 29 Data Protection Working Party 417/16/EN WP235 Work programme 2016 2018 Adopted on 2 February 2016 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European

EUROPEAN COMMISSION Brussels, 6.11.2015 COM(2015) 566 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States

August 2011 Report on Cloud Computing and the Law for UK FE and HE (An Overview) Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Introduction The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal

Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything

Information Commissioner s Office ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 14 November 2013 1 Contents Introduction Response Further issues About the ICO The ICO

Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

White Paper Catalysts driving successful decisions in life sciences. Safe Harbor Is Invalid What Is It and What Shall We Do? by Jessica Santos, Ph.D. November 2015 www.kantarhealth.com On October 6, 2015,

The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

Safe Harbor Questionnaire This questionnaire is aimed at gathering relevant information with regard to the Safe Harbor certification of the data importer. It should be completed by personnel with knowledge

ARTICLE 29 DATA PROTECTION WORKING PARTY 16/EN WP 238 Opinion 01/2016 on the EU U.S. Privacy Shield draft adequacy decision Adopted on 13 April 2016 This Working Party was set up under Article 29 of Directive

UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

HOW SAFE IS YOUR DATA? Are you at risk of making the headlines for all the wrong reasons? What do you need to consider when choosing a cloud service? G-Cloud gives central and local government departments

Cloud Computing Legal Considerations for Data Controllers CLOUD COMPUTING LEGAL CONSIDERATIONS FOR DATA CONTROLLERS What is cloud computing and why is it relevant? Cloud computing can be described as technology

EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Response to the UK Ministry of Justice s Call for Evidence on the European Commission s Data Protection Proposals Cloud Legal Project, Queen Mary, University of London This response is made by Christopher

Information Governance in Dental Practices Summary of findings from ICO reviews September 2015 Executive summary The Information Commissioner s Office (ICO) is the regulator responsible for ensuring that

MEDICAL INNOVATION BILL 1. Introduction The Academy of Medical Royal Colleges (the Academy) speaks on standards of care and medical education across the UK. By bringing together the expertise of all the

Just Net Coalition statement on Internet governance (Just Net Coalition is a global coalition of civil society actors working on Internet governance issues) All states should work together to provide a

FACEBOOK STATEMENT RICHARD ALLAN NOVEMBER 11, 2013 [I. INTRODUCTION] My name is Richard Allan, and I am the Director of Public Policy for Facebook in Europe, the Middle East and Africa. I have been with

Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

Intellectual Property & Data Protection 2015: Legal developments you need to know about Welcome This is a short guide to some of the key legal developments for intellectual property and data protection

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

EUROPEAN COMMISSION Brussels, 27.11.2013 COM(2013) 846 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Rebuilding Trust in EU-US Data Flows EN EN 1. INTRODUCTION: THE

CO-OPERATIVE GOVERNANCE A Summary of the Code of Best Practices for Co-operatives INTRODUCTION The main pillars of the Good Governance are transparency, accountability, risk management and control. Though

Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

Welcome to the nineteenth edition of the information governance bulletin Our regular bulletin about information governance and the work of the IG transition programme Publication Gateway Reference: 02465

Nottinghamshire County Council Data protection audit report Executive summary October 2015 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data

CSA Survey Results Government Access to Information July 2013 EXECUTIVE OVERVIEW During June and July of 2013, news of a whistleblower, US government contractor Edward Snowden, dominated global headlines.

Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council on "Rebuilding Trust in EU-US Data Flows" and on the Communication

1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

Today, our personal information is being collected, shared, stored and analysed everywhere. Whether you are browsing the internet, talking to a friend or making an online purchase, personal data collection

Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

Privacy in the cloud computing, and the company concerned is required to submit a risk analysis to DNB. 3 Cloud computing entails the saving, processing and using of company data on the servers of a cloud

The European Union as a Constitutional Guardian of Internet Privacy and Data Protection: the Story of Article 16 TFEU SHORT SUMMARY There is a wide perception that governments are losing control over societal

Scottish Public Services Ombudsman Response to the Department for Business Innovation and Skills Consultation on the Implementation of the Alternative Dispute Resolution Directive and the Online Dispute

INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 14.3.2005 COM(2005) 82 final GREEN PAPER on applicable law and jurisdiction in divorce matters (presented by the Commission) {SEC(2005) 331} EN EN GREEN